Fusion Middleware Security – Search user in AD using OPSS

Oracle Platform Security Services (OPSS) provides enterprise product development teams, systems integrators (SIs), and independent software vendors (ISVs) with a standards-based, portable, integrated, enterprise-grade security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications.

OPSS provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate developers from security and identity management implementation details. With OPSS, developers don’t need to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. Thanks to OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same, uniform security, identity management, and audit services across the enterprise.

OPSS is the underlying security platform for Oracle Fusion Middleware, including products such as WebLogic Server, SOA, WebCenter, ADF and OES, to name a few. OPSS is designed from the ground up to be portable to third-party application servers. As a result, developers can use OPSS as the single security framework for both Oracle and third-party environments, which reduces application development, administration and maintenance costs.

Products that use OPSS

  1. Oracle WebLogic Server
  2. Oracle ADF
  3. Oracle WebCenter
  4. Oracle SOA
  5. Oracle Entitlements Server
  6. Oracle Web Services Manager
  7. Java Authorization Contract for Containers (JACC)

OPSS provides an integrated security platform that supports:

  • Authentication
  • Identity assertion
  • Authorization, based on fine-grained JAAS permissions
  • The specification and management of application policies
  • Secure storage and access of system credentials through the Credential Store Framework
  • Auditing
  • Role administration and role mappings
  • The User and Role API
  • Identity Virtualization
  • Security configuration and management
  • SAML and XACML
  • Oracle Security Developer Tools, including cryptography tools
  • Policy Management API
  • Java Authorization Contract for Containers (JACC)

OPSS Architecture

[OPSS architecture diagram]
Now let's move on to using OPSS from an ADF/WebCenter application. We have a feature that lets a user search for other users in LDAP by name, last name or e-mail address. How can we achieve that?

Something like the image below.

The user clicks on Search User. This searches the Active Directory that is mapped into the WebLogic security realm through its authentication provider.

In the search box, enter a name, last name or e-mail address and click the search icon.

Or try it with an e-mail address:

You can add further custom parameters to the search in the same way. Now let's look at how we did it.

The following code runs the parameterised search through OPSS and the User and Role API (oracle.security.idm):

    // Imports this method relies on: the OPSS context classes and the
    // oracle.security.idm User and Role API, both shipped with OPSS.
    import java.util.List;
    import oracle.security.idm.ComplexSearchFilter;
    import oracle.security.idm.IMException;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.SearchParameters;
    import oracle.security.idm.SearchResponse;
    import oracle.security.idm.SimpleSearchFilter;
    import oracle.security.idm.UserProfile;
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.idstore.IdentityStoreService;

    public List<userProfileId> getUserDetails() {
        // Lazily populated: run the directory search only once per bean instance,
        // and only when the search field (peopleName) actually holds a value.
        if (this.userDetails.isEmpty() && peopleName != null && peopleName.getValue() != null) {
            try {
                // Obtain the identity store configured for this WebLogic domain
                // (the AD authenticator in the security realm) through the OPSS context.
                JpsContextFactory ctxFactory = JpsContextFactory.getContextFactory();
                JpsContext ctx = ctxFactory.getContext();
                IdentityStoreService idstoreService =
                    (IdentityStoreService) ctx.getServiceInstance(IdentityStoreService.class);
                IdentityStore idmIdentityStore = idstoreService.getIdmStore();

                String term = peopleName.getValue().toString();

                // Three exact-match filters: last name, business e-mail and display name.
                // The API builds the LDAP filter itself, so the typed value is compared, not interpreted.
                SimpleSearchFilter[] simpleSearchFilter = new SimpleSearchFilter[3];
                simpleSearchFilter[0] =
                    idmIdentityStore.getSimpleSearchFilter(UserProfile.LAST_NAME, SimpleSearchFilter.TYPE_EQUAL, term);
                simpleSearchFilter[1] =
                    idmIdentityStore.getSimpleSearchFilter(UserProfile.BUSINESS_EMAIL, SimpleSearchFilter.TYPE_EQUAL, term);
                simpleSearchFilter[2] =
                    idmIdentityStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_EQUAL, term);

                // OR the three together so a match on any one attribute returns the user.
                ComplexSearchFilter cf =
                    idmIdentityStore.getComplexSearchFilter(simpleSearchFilter, ComplexSearchFilter.TYPE_OR);

                // Search parameters built from the complex filter, restricted to user entries (no groups/roles).
                SearchParameters spUser = new SearchParameters(cf, SearchParameters.SEARCH_USERS_ONLY);
                SearchResponse searchResponse = idmIdentityStore.searchUsers(spUser);
                while (searchResponse.hasNext()) {
                    UserProfile up = (UserProfile) searchResponse.next();
                    name = up.getName();
                    email = up.getBusinessEmail();
                    UserID = up.getLastName();
                    UserName = up.getUserName();
                    userDetails.add(new userProfileId(name, UserID, email, UserName));
                }
            } catch (JpsException e) {
                // OPSS context or identity-store lookup failed
                e.printStackTrace();
            } catch (IMException e) {
                // User and Role API error while building the filter or searching
                e.printStackTrace();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        return userDetails;
    }
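
The getUserDetails() method above delegates filter construction to the OPSS User and Role API. To show what that API does underneath, and to have something that compiles against a plain JDK, here is an added example that is not code from the original post: the same last-name/e-mail/name OR-search performed directly with JNDI, the packages the OID section further down also uses. The LDAP URL, bind DN, search base, the LDAP_BIND_PASSWORD variable and the attribute names are assumptions; the login attribute is sAMAccountName on Active Directory and uid on OID or OpenLDAP.

```java
// Added example (not from the original post): the same "last name, e-mail or
// name" lookup done with only the JDK's JNDI packages, so it compiles with a
// plain javac and runs against AD, OID or OpenLDAP. The LDAP URL, bind DN,
// search base and the LDAP_BIND_PASSWORD variable are assumptions supplied at
// run time; no real directory data is embedded here.
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UserSearch {

    /** Plain value object playing the role of userProfileId in the post. */
    public static final class UserHit {
        public final String name, lastName, email, userName;
        UserHit(String name, String lastName, String email, String userName) {
            this.name = name; this.lastName = lastName; this.email = email; this.userName = userName;
        }
        @Override public String toString() { return userName + " / " + name + " <" + email + ">"; }
    }

    public static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                  // use ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow");                 // AD answers a subtree search of the domain root with referrals
        return new InitialDirContext(env);
    }

    /**
     * Equivalent of the three SimpleSearchFilters OR-ed by ComplexSearchFilter.TYPE_OR:
     * sn, mail or cn must equal the term. The term is passed as a filter argument ({0}),
     * so JNDI escapes '*', '(', ')', '\' and NUL (RFC 4515) and a user-typed value can
     * only ever be compared, never change the shape of the filter.
     */
    public static List<UserHit> findUsers(DirContext ctx, String base, String term) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn", "sn", "mail", "uid", "sAMAccountName"});
        sc.setCountLimit(100);   // a very common surname must not stream the whole directory into the UI
        sc.setTimeLimit(5000);   // milliseconds; fail fast rather than hang the request thread

        List<UserHit> hits = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
            ctx.search(base, "(|(sn={0})(mail={0})(cn={0}))", new Object[] {term}, sc);
        try {
            while (results.hasMore()) {
                Attributes a = results.next().getAttributes();
                String login = first(a, "sAMAccountName");   // Active Directory
                if (login == null) login = first(a, "uid");  // OID / OpenLDAP
                hits.add(new UserHit(first(a, "cn"), first(a, "sn"), first(a, "mail"), login));
            }
        } catch (SizeLimitExceededException e) {
            // more than 100 matches: keep what we have; the caller should ask for a narrower term
        } finally {
            results.close();
        }
        return hits;
    }

    private static String first(Attributes attrs, String id) throws NamingException {
        Attribute attr = attrs.get(id);
        return attr == null ? null : String.valueOf(attr.get());
    }

    // Usage: LDAP_BIND_PASSWORD=... java UserSearch ldaps://ad.example.test:636 \
    //            "cn=svc-lookup,cn=Users,dc=example,dc=test" "dc=example,dc=test" "Doe"
    public static void main(String[] args) throws NamingException {
        if (args.length != 4) {
            System.err.println("usage: UserSearch <ldap-url> <bind-dn> <search-base> <term>");
            System.exit(2);
        }
        String password = System.getenv("LDAP_BIND_PASSWORD");   // keep the secret out of argv and source
        if (password == null) throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        DirContext ctx = connect(args[0], args[1], password);
        try {
            for (UserHit hit : findUsers(ctx, args[2], args[3])) System.out.println(hit);
        } finally {
            ctx.close();
        }
    }
}
```

Two design points carry over to the OPSS version: the search term is never concatenated into a filter string, and the result set is bounded, so a lookup typed by an end user cannot turn into a directory dump. Bind with a read-only lookup account rather than an administrator, since the application only needs to read a handful of attributes.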

That's it. The getUserDetails() method above can be used in pure ADF or WebCenter Portal applications as it is. Do let me know your thoughts.
Happy Learning with Techartifact.

Create a user in OID

Using the Oracle-supplied Java SDKs
The sample code below uses the OID SDK to bind to the OID directory server and then create a new user under a specific location in the directory tree.

import javax.naming.NamingException;
import javax.naming.directory.*;
import oracle.ldap.util.*;
import oracle.ldap.util.jndi.*;

public class NewUser
{
    // Connection details for the sample directory. In real code keep the bind
    // password out of the source (OPSS's Credential Store Framework exists for this).
    final static String ldapServerName = "mlc2.acme.org";
    final static String ldapServerPort = "3060";
    final static String rootdn = "cn=orcladmin";
    final static String rootpass = "welcome1";

    public static void main(String argv[]) throws NamingException
    {
        // Create the connection to the LDAP server (simple bind as rootdn)
        InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx(ldapServerName,
                                                                ldapServerPort,
                                                                rootdn,
                                                                rootpass);

        // Look up the subscriber (realm) object by its DN
        Subscriber mysub = null;
        String[] mystr = null;
        try {
            RootOracleContext roc = new RootOracleContext(ctx);
            mysub = roc.getSubscriber(ctx, Util.IDTYPE_DN, "dc=acme,dc=org", mystr);
        }
        catch (UtilException e) {
            e.printStackTrace();
            ctx.close();
            return; // no subscriber, nothing to create the user under
        }

        // Build the user's attributes as LDIF "add" changes
        ModPropertySet mps = new ModPropertySet();
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "givenname", "John");
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "mail", "[email protected]");
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "userpassword", "welcome1");

        // Create the user in the subscriber's default user container
        try {
            User newUser = mysub.createUser(ctx, mps, true);
            System.out.println("New User DN: " + newUser.getDN(ctx));
        }
        catch (UtilException e) {
            e.printStackTrace();
        }
        finally {
            ctx.close();
        }
    }
}

To use the sample code above, do the following:
1. Save the code above into a file named NewUser.java. Note that the file name and its case are important: it must be exactly NewUser.java unless the code has been modified.

2. Locate the Java Development Kit (JDK) on your system. For recent Oracle installations it should have been installed under $ORACLE_HOME/jdk but could be located elsewhere.

3. Compile the NewUser.java file into a binary NewUser.class file using the following command:

/bin/javac -classpath $ORACLE_HOME/jlib/ldapjclnt9.jar NewUser.java

Since the sample code makes use of the Oracle LDAP classes it is necessary to include the classpath parameter in the javac command. The above command should complete with no errors or output and should result in a file named NewUser.class being created.

4. Execute the resulting NewUser.class file using the following command:

/bin/java -cp .:$ORACLE_HOME/jlib/ldapjclnt9.jar NewUser

Note that this time there is NO extension specified (neither .java nor .class is used) and it must be executed from the same directory where the NewUser.class file is located. Again, the file name is case-sensitive and must be exactly as listed above. Note the -cp parameter: it includes the current directory and the location of the ldapjclnt9.jar file. The ".:" (a period followed by a colon) must be included in the -cp parameter for the program to run correctly.

If the NewUser.class file executes successfully it will print "New User DN: cn=john.doe,cn=Users,dc=acme,dc=org" to the screen. The user will be created within OID in the cn=users container of the default subscriber/realm. This user can then be seen via an ldapsearch or through Oracle Directory Manager (ODM).

If any errors are encountered (such as invalid user/password, duplicate entry, etc.), an error message will be displayed. In this simple example the error messages are of very little help other than indicating which part of the code failed. For example, if the user already exists the following error will be displayed:

oracle.ldap.util.UtilException: NamingException encountered in ldapAdd [LDAP: error code 68 - Object already exists]
at oracle.ldap.util.Util.ldapAdd(Util.java:2016)
at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1392)
at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1315)
at NewUser.main(NewUser.java:46)

Using the Native Java JNDI Packages

The OID Java API documentation shows how to search and modify entries within an OID LDAP server but gives no example or instructions for creating a new entry. This example is very similar to the Java code above but uses ONLY native Java packages.

The sample code below uses the Java JNDI packages to bind to the OID directory server and then create a new user under a specific location in the directory tree. This code uses NO Oracle-specific Java function calls. The sample code uses only Java packages that are supplied by Sun’s Java Development Kit.

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import java.util.*;

public class NewUser
{
    // Connection details for the sample directory; as above, a bind password
    // belongs in a credential store, not in the source.
    final static String ldapServerName = "mlc2.acme.org";
    final static String ldapServerPort = "4032";
    final static String rootdn = "cn=orcladmin";
    final static String rootpass = "welcome1";
    final static String entryDn = "cn=javauser,cn=users,dc=acme,dc=org";

    public static void main(String argv[]) throws NamingException
    {
        // JNDI environment: LDAP provider, server URL and a simple bind as rootdn
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + ldapServerName + ":" + ldapServerPort + "/");
        env.put(Context.SECURITY_PRINCIPAL, rootdn);
        env.put(Context.SECURITY_CREDENTIALS, rootpass);
        DirContext ctx = new InitialDirContext(env);

        try {
            // Create the objclassSet to hold all the entry's objectClasses
            // (the orcluser classes are OID-specific).
            BasicAttribute objclassSet = new BasicAttribute("objectclass");
            objclassSet.add("person");
            objclassSet.add("organizationalPerson");
            objclassSet.add("inetOrgPerson");
            objclassSet.add("top");
            objclassSet.add("orcluser");
            objclassSet.add("orcluserv2");

            // Load the attributes of the new entry
            BasicAttributes attrs = new BasicAttributes();
            attrs.put(objclassSet);
            attrs.put("mail", "[email protected]");
            attrs.put("cn", "javauser");
            attrs.put("sn", "Campbell");
            attrs.put("givenname", "Mike");
            attrs.put("uid", "javauser");
            attrs.put("userpassword", "welcome1");

            // Create the user in OID (LDAP add of entryDn with these attributes)
            ctx.createSubcontext(entryDn, attrs);
        }
        finally {
            ctx.close();
        }
    }
}

To use the sample code above, do the following:
1. Save the code above into a file named NewUser.java. Note that the file name and its case are important: it must be exactly NewUser.java unless the code has been modified.

2. Locate the Java Development Kit (JDK) on your system. For recent Oracle installations it should have been installed under $ORACLE_HOME/jdk but could be located elsewhere.

3. Compile the NewUser.java file into a binary NewUser.class file using the following command:

/bin/javac NewUser.java

Since the sample code does not contain any Oracle-specific packages in it there is no need to specify any classpath. The above command should complete with no errors or output and should result in a file named NewUser.class being created.

4. Execute the resulting NewUser.class file using the following command:

/bin/java NewUser

Note that this time there is NO extension specified (neither .java nor .class is used) and it must be executed from the same directory where the NewUser.class file is located. Again, the file name is case-sensitive and must be exactly as listed above.

If the NewUser.class file executes successfully there will be no output written to the screen. The user will be created within OID at the location specified by the entryDn variable. This user can then be seen via an ldapsearch or through Oracle Directory Manager (ODM).

If any errors are encountered (such as invalid user/password, duplicate entry, etc.), a Java exception will be thrown and a stack trace will be displayed showing the error. For example, if the user already exists the following error will be displayed:
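Both NewUser programs above, and the "Object already exists" stack trace shown for the SDK version, surface failures only as raw exceptions, and both compile the directory superuser's password into the class. Here is an added example, not the page's code, of the JNDI variant restructured so that the cases the text names (invalid user/password, duplicate entry) come back as distinct outcomes the caller can branch on, and the bind password is read from the environment. The server, DNs, attribute values and the OID_ADMIN_PASSWORD variable name are assumptions.

```java
// Added example (not the page's code): the JNDI NewUser reworked so that the
// failure cases the text mentions come back as distinct outcomes instead of a
// raw stack trace, and the bind password is not compiled into the class.
// Host, DNs, attribute values and the OID_ADMIN_PASSWORD variable are
// constructed placeholders for a test directory.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SchemaViolationException;

public class CreateUser {

    /** One value per LDAP result the text talks about, so callers branch on it instead of parsing messages. */
    public enum Outcome { CREATED, ALREADY_EXISTS, BAD_CREDENTIALS, NOT_PERMITTED, SCHEMA_VIOLATION, OTHER_ERROR }

    /** Same attribute set as the NewUser sample: inetOrgPerson plus the OID-specific orcluser classes. */
    public static Attributes userEntry(String uid, String sn, String givenName, String mail, String password) {
        BasicAttribute oc = new BasicAttribute("objectclass");
        for (String c : new String[] {"top", "person", "organizationalPerson", "inetOrgPerson",
                                      "orcluser", "orcluserv2"}) {   // drop the last two on a non-OID server
            oc.add(c);
        }
        BasicAttributes attrs = new BasicAttributes(true);   // ignoreCase: LDAP attribute names are case-insensitive
        attrs.put(oc);
        attrs.put("cn", uid);
        attrs.put("uid", uid);
        attrs.put("sn", sn);
        attrs.put("givenname", givenName);
        attrs.put("mail", mail);
        attrs.put("userpassword", password);   // OID hashes it server-side according to its password policy
        return attrs;
    }

    public static Outcome create(String url, String bindDn, String bindPassword, String entryDn, Attributes attrs) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);        // bind; LDAP result 49 surfaces as AuthenticationException
            ctx.createSubcontext(entryDn, attrs);    // add;  LDAP result 68 surfaces as NameAlreadyBoundException
            return Outcome.CREATED;
        } catch (AuthenticationException e) {
            return Outcome.BAD_CREDENTIALS;
        } catch (NameAlreadyBoundException e) {
            return Outcome.ALREADY_EXISTS;
        } catch (NoPermissionException e) {          // result 50: the bind account lacks rights on the container
            return Outcome.NOT_PERMITTED;
        } catch (SchemaViolationException e) {       // result 65: e.g. unknown object class or missing "sn"
            return Outcome.SCHEMA_VIOLATION;
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e.getMessage());
            return Outcome.OTHER_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    // Usage: OID_ADMIN_PASSWORD=... java CreateUser ldap://oid.example.test:3060 \
    //            "cn=orcladmin" "cn=javauser,cn=users,dc=example,dc=test"
    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: CreateUser <ldap-url> <bind-dn> <entry-dn>");
            System.exit(2);
        }
        String bindPassword = System.getenv("OID_ADMIN_PASSWORD");
        if (bindPassword == null) throw new IllegalStateException("OID_ADMIN_PASSWORD is not set");
        String uid = args[2].substring(args[2].indexOf('=') + 1, args[2].indexOf(','));  // RDN value, e.g. javauser
        Attributes attrs = userEntry(uid, "Campbell", "Mike", "mike.campbell@example.test", "Change-Me-On-First-Login");
        Outcome outcome = create(args[0], args[1], bindPassword, args[2], attrs);
        System.out.println(outcome);
        if (outcome != Outcome.CREATED) System.exit(1);
    }
}
```

Mapping the JNDI exception types onto an enum keeps the caller's logic independent of message text such as "[LDAP: error code 68 - Object already exists]", which differs between directory servers. Running this with a provisioning account that has add rights on cn=users only, over ldaps://, is preferable to binding as cn=orcladmin as the samples do.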

Adding a user to a specific Space in WebCenter

Small tip: how to add a user to a Space with a specified or custom role.

Solution: if you are using PS6, this code will do it.

    // Imports this method relies on (WebCenter Spaces web-service client plus java.util)
    import java.util.ArrayList;
    import java.util.List;
    import oracle.webcenter.spaces.ws.client.GroupSpaceWSClient;
    import oracle.webcenter.spaces.ws.client.GroupSpaceWSException;
    import oracle.webcenter.spaces.ws.client.GroupSpaceWSMembers;

    public void addMemberInSpace(String spaceName, String userid) throws GroupSpaceWSException {
        logger.fine("Entering AddMember");
        try {
            // contextData is the GroupSpaceWSContext (endpoint and credentials) prepared elsewhere in the bean
            GroupSpaceWSClient gsClient = new GroupSpaceWSClient(contextData);

            // Role the user receives in the Space: admin, viewer, Moderator or a custom role defined in the Space
            String userRole = "CustomRole";
            GroupSpaceWSMembers memberData = new GroupSpaceWSMembers(userid, userRole);

            // Approval code will be added here
            List<GroupSpaceWSMembers> addMem = new ArrayList<GroupSpaceWSMembers>();
            addMem.add(memberData);
            gsClient.addMember(spaceName, addMem);
        } catch (GroupSpaceWSException gsException) {
            // Let the service's own exception propagate unchanged
            throw gsException;
        } catch (Exception exception) {
            // Wrap anything else so callers only deal with GroupSpaceWSException
            throw new GroupSpaceWSException("Exception caught during addMembership ", null, null, exception, null);
        }
    }

Happy Coding with techartifact….